question on ldap_escape_func in rlm_ldap.c (author: Kostas Kalevras)
Hi All, I'm new to RADIUS and have now encountered problems with ldap_escape_func in rlm_ldap. Please help me, since it's really a bit urgent.

The comment regarding this function is 'Add an ldap_escape_func. Escape the * character from the filter so that we can avoid the trivial DoS of username=*'. If I am not wrong, this function intends to filter out the * which follows the username, i.e. if the username is 'userid*' in the Access-Request packet, the ldapsearch is only based on 'userid'. But what's the purpose of doing this, and is it secure? Or did I misunderstand the comments?

The latest version, freeradius-1.0.5, has a slightly different version of this piece of code:

* freeradius-1.0.5

    if (strchr("*=\\,()", *in)) {
        static const char *hex = "0123456789abcdef";
        if (outlen <= 3) break;
        *(out++) = '\\';
        *(out++) = hex[((*in) >> 4) & 0x0f];
        *(out++) = hex[(*in) & 0x0f];
        outlen -= 3;
        continue;
    }

** freeradius-1.0.4 and previous

    if (strchr("*", *in)) {
        in++;
        outlen--;
        continue;
    }

I couldn't figure out what the change intends to do. Is it to filter out '*', '\\', '()' and '=' from the username? And why should it be done that way? Please help me. Thanks a lot in advance.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question on ldap_escape_func in rlm_ldap.c
Qin Zhen wrote:
> I couldn't figure out what the change intends to do. Is it to filter out '*', '\\', '()' and '=' from the username? And why should it be done that way? Please help me. Thanks a lot in advance.

The function ldap_escape_func() filters all LDAP-specific characters from RFC 2254. This prevents LDAP injection attacks.

BTW there's a known bug in this function, you can get a fixed version here. (the patch will be included in next release)
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c?rev=1.122.2.8

-- 
Nicolas Baradakis
Re: question on ldap_escape_func in rlm_ldap.c
Thanks for Nicolas's reply. So in the latest version (1.0.5), a username 'jam\' will be converted into 'jam\5c' and the ldapsearch will be based on 'jam\5c', right? So this username is supposed not to be found in LDAP in this case? But how come in my server the ldapsearch is based on 'jam' and those invalid characters are just simply eliminated? Scratching head... please assist. Thanks so much.
Re: question on ldap_escape_func in rlm_ldap.c
Qin Zhen wrote:
> So in the latest version (1.0.5), a username 'jam\' will be converted into 'jam\5c' and the ldapsearch will be based on 'jam\5c', right? So this username is supposed not to be found in LDAP in this case? But how come in my server the ldapsearch is based on 'jam' and those invalid characters are just simply eliminated? Scratching head... please assist. Thanks so much.

That's what is said in http://www.ietf.org/rfc/rfc2254.txt

   If a value should contain any of the following characters

          Character       ASCII value
          ---------------------------
          *               0x2a
          (               0x28
          )               0x29
          \               0x5c
          NUL             0x00

   the character must be encoded as the backslash '\' character (ASCII
   0x5c) followed by the two hexadecimal digits representing the ASCII
   value of the encoded character. The case of the two hexadecimal digits
   is not significant.

-- 
Nicolas Baradakis
Re: question on ldap_escape_func in rlm_ldap.c
Hi, thanks Nicolas. Sorry to trouble you, but I am still not so clear about the latest FreeRADIUS's behaviour. Suppose there is a username 'james'; when I try to login with username 'james*', ldap_escape_func actually converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode still shows

    Debug: rlm_ldap: performing search in dc=sg, o=company, with filter (objectclass=radiusprofile)(userlogin=james))

That means LDAP still searches based on the filter 'userlogin=james' and ignores those '\2a\2a\2a' that follow, and hence it finds the username 'james' in LDAP and allows the user to login. Is this the way the latest FreeRADIUS is supposed to behave, or is there anything wrong with my configuration? If user james can use 'james*' or 'james\\' to login as usual, isn't it insecure? Thanks really a lot!
Re: question on ldap_escape_func in rlm_ldap.c
Qin Zhen wrote:
> When I try to login with username 'james*', ldap_escape_func actually converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode still shows
>     Debug: rlm_ldap: performing search in dc=sg, o=company, with filter (objectclass=radiusprofile)(userlogin=james))
> That means LDAP still searches based on the filter 'userlogin=james' and ignores those '\2a\2a\2a' that follow, and hence it finds the username 'james' in LDAP and allows the user to login. Is this the way the latest FreeRADIUS is supposed to behave?

No, it's a known bug in FreeRADIUS 1.0.5. That's why I told you earlier to get a fixed version from CVS.

> If user james can use 'james*' or 'james\\' to login as usual, isn't it insecure?

I think james* (without escaping) in an LDAP filter is insecure; it may disclose information about other users named jamesfoo or jamesbar ...

-- 
Nicolas Baradakis
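The two points Nicolas makes in this thread, the RFC 2254 encoding rule (escape * ( ) \ and NUL as backslash plus two hex digits) and the disclosure of jamesfoo/jamesbar when a raw '*' reaches the filter, can be seen end to end in the following added example. It is stand-alone C written for this page, not FreeRADIUS code: ldap_escape_value() is my own escape routine, modelled on the shape of the 1.0.5 snippet but restricted to the RFC 2254 character set (the snippet also escapes '=' and ','), and it returns -1 instead of emitting a shortened value when the output buffer is too small. decode_value() and glob_match() stand in for the server side of an equality/substring assertion so that you can count which entries a raw versus an escaped User-Name would match. The directory entries and login names are constructed samples and all function names are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Escape an LDAP assertion value per RFC 2254 section 4: '*', '(', ')'
 * and '\' become "\xx" (two hex digits). NUL cannot occur in a C string,
 * so it never reaches us. Every write is bounds-checked; if the output
 * buffer cannot hold the whole escaped value plus the terminating NUL
 * the function returns -1 rather than silently truncating the value.
 * Returns the number of bytes written (excluding the NUL) on success.
 */
int ldap_escape_value(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t used = 0;

    if (outlen == 0)
        return -1;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;

        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (used + 3 >= outlen)      /* three bytes plus the NUL */
                return -1;
            out[used++] = '\\';
            out[used++] = hex[c >> 4];
            out[used++] = hex[c & 0x0f];
        } else {
            if (used + 1 >= outlen)
                return -1;
            out[used++] = (char)c;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* True if escaping `in` yields exactly `expected`. */
bool escapes_to(const char *in, const char *expected)
{
    char buf[128];
    return ldap_escape_value(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

#define WILDCARD (-1)

/*
 * Decode an assertion value the way a server reads it: an unescaped '*'
 * is a substring wildcard, "\xx" is the literal byte 0xxx, anything else
 * is itself. Returns the token count, or -1 on a malformed escape.
 */
static int decode_value(const char *val, int *tok, size_t max)
{
    size_t n = 0;

    for (; *val != '\0'; val++) {
        if (n >= max)
            return -1;
        if (*val == '*') {
            tok[n++] = WILDCARD;
        } else if (*val == '\\') {
            if (!isxdigit((unsigned char)val[1]) || !isxdigit((unsigned char)val[2]))
                return -1;
            char hx[3] = { val[1], val[2], '\0' };
            tok[n++] = (int)strtol(hx, NULL, 16);
            val += 2;
        } else {
            tok[n++] = (unsigned char)*val;
        }
    }
    return (int)n;
}

/* Glob match of decoded tokens against an attribute value (case-sensitive). */
static bool glob_match(const int *tok, int n, const char *s)
{
    if (n == 0)
        return *s == '\0';
    if (tok[0] == WILDCARD) {
        for (;; s++) {                   /* try every suffix, including "" */
            if (glob_match(tok + 1, n - 1, s))
                return true;
            if (*s == '\0')
                return false;
        }
    }
    if (*s == '\0' || (unsigned char)*s != tok[0])
        return false;
    return glob_match(tok + 1, n - 1, s + 1);
}

/* Would the filter "(attr=<filter_value>)" match an entry whose attr is attr_value? */
bool ldap_value_matches(const char *filter_value, const char *attr_value)
{
    int tok[256];
    int n = decode_value(filter_value, tok, sizeof tok / sizeof tok[0]);
    return n >= 0 && glob_match(tok, n, attr_value);
}

/* Count the entries a filter value would match. */
int count_matches(const char *filter_value, const char **entries, size_t count)
{
    int hits = 0;
    for (size_t i = 0; i < count; i++)
        if (ldap_value_matches(filter_value, entries[i]))
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample directory: the userlogin values of four entries. */
    const char *directory[] = { "james", "jamesfoo", "jamesbar", "jam\\" };
    size_t n = sizeof directory / sizeof directory[0];
    const char *logins[] = { "james*", "jam\\", "*" };   /* constructed User-Names */
    char escaped[64];

    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        if (ldap_escape_value(logins[i], escaped, sizeof escaped) < 0)
            continue;
        printf("User-Name %-7s raw filter matches %d entries, escaped (%s) matches %d\n",
               logins[i], count_matches(logins[i], directory, n),
               escaped, count_matches(escaped, directory, n));
    }
    return 0;
}
```

Run stand-alone, the raw 'james*' matches three entries and 'jam\' on its own is a malformed value, whereas the escaped forms match only an entry whose userlogin literally contains the '*' or '\'. One detail worth checking against the fixed revision Nicolas links: the 1.0.5 branch quoted at the top of the thread emits three bytes and then `continue`s without advancing `in` (the 1.0.4 branch does `in++`), so if the surrounding loop does not step `in` itself it would re-escape the same character until `outlen` runs out, which is consistent with the `james\2a\2a\2a...` seen in debug output.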